This invention relates to digital computer network technology. More specifically, it relates to methods and apparatus for facilitating processing and routing of packets in Virtual Private Networks (VPNs).
Broadband access technologies such as cable, fiber optic, and wireless have made rapid progress in recent years. Recently there has been a convergence of voice and data networks which is due in part to US deregulation of the telecommunications industry. In order to stay competitive, companies offering broadband access technologies need to support voice, video, and other high-bandwidth applications over their local access networks. For networks that use a shared access medium to communicate between subscribers and the service provider (e.g., cable networks, wireless networks, etc.), providing reliable high-quality voice/video communication over such networks is not an easy task.
A cable modem network or xe2x80x9ccable plantxe2x80x9d employs cable modems, which are an improvement of conventional PC data modems and provide high speed connectivity. Cable modems are therefore instrumental in transforming the cable system into a full service provider of video, voice and data telecommunications services. Digital data on upstream and downstream channels of the cable network is carried over radio frequency (xe2x80x9cRFxe2x80x9d) carrier signals. Cable modems convert digital data to a modulated RF signal for upstream transmission and convert downstream RF signal to digital form. The conversion is done at a subscriber""s home. At a cable modem termination system (xe2x80x9cCMTSxe2x80x9d) located at a Head End of the cable network, the conversions are reversed. The CMTS converts downstream digital data to a modulated RF signal, which is carried over the fiber and coaxial lines to the subscriber premises. The cable modem then demodulates the RF signal and feeds the digital data to a computer. On the return path, the digital data is fed to the cable modem (from an associated PC for example), which converts it to a modulated RF signal. Once the CMTS receives the upstream RF signal, it demodulates it and transmits the digital data to an external source.
FIG. 1 is a block diagram of a typical two-way hybrid fiber-coaxial (HFC) cable network system. It shows a Head End 102 (essentially a distribution hub) which can typically service about 40,000 homes. Head End 102 contains a CMTS 104 that is needed when transmitting and receiving data using cable modems. Primary functions of the CMTS include (1) receiving baseband data inputs from external sources 100 and converting the data for transmission over the cable plant (e.g., converting Ethernet or ATM baseband data to data suitable for transmission over the cable system); (2) providing appropriate Media Access Control (MAC) level packet headers for data received by the cable system, and (3) modulating and demodulating the data to and from the cable system.
Head End 102 connects through pairs of fiber optic lines 106 (one line for each direction) to a series of fiber nodes 108. Each Head End can support normally up to 80 fiber nodes. Pre-HFC cable systems used coaxial cables and conventional distribution nodes. Since a single coaxial cable was capable of transmitting data in both directions, one coaxial cable ran between the Head End and each distribution node. In addition, because cable modems were not used, the Head End of pre-HFC cable systems did not contain a CMTS. Returning to FIG. 1, each of the fiber nodes 108 is connected by a coaxial cable 110 to two-way amplifiers or duplex filters 112, which permit certain frequencies to go in one direction and other frequencies to go in the opposite direction (different frequency ranges are used for upstream and downstream paths). Each fiber node 108 can normally service up to 500 subscribers. Fiber node 108, coaxial cable 110, two-way amplifiers 112, plus distribution amplifiers 114 along with trunk line 116, and subscriber taps, i.e. branch lines 118, make up the coaxial distribution system of an HFC system. Subscriber tap 118 is connected to a cable modem 120. Cable modem 120 is, in turn, connected to a subscriber computer 122.
In order for data to be able to be transmitted effectively over a wide area network such as HFC or other broadband computer networks, a common standard for data transmission is typically adopted by network providers. A commonly used and well known standard for transmission of data or other information over HFC networks is DOCSIS. The DOCSIS standard has been publicly presented as a draft recommendation (J.isc Annex B) to Study Group 9 of the ITU in October 1997. That document is incorporated herein by reference for all purposes.
Virtual Private Networks
As the Public Internet expands and extends its infrastructure globally, the determination to exploit this infrastructure has led to widespread interest in IP based Virtual Private Networks (VPNs). A VPN emulates a private IP network over public or shared infrastructures. A VPN that supports only IP traffic is called an IP-VPN. Virtual Private Networks provide advantages to both the service provider and its customers. For its customers, a VPN can extend the IP capabilities of a corporate site to remote offices and/or users with intranet, extranet, and dial-up services. This connectivity may be achieved at a lower cost to the customer with savings in capital equipment, operations, and services. The service provider is able to make better use of its infrastructure and network administration expertise offering IP VPN connectivity and/or services to its customers.
There are many ways in which IP VPN services may be implemented, such as, for example, Virtual Leased Lines, Virtual Private Routed Networks, Virtual Private Dial Networks, Virtual Private LAN Segments, etc. Additionally VPNs may be implemented using a variety of protocols, such as, for example, IP Security (IPSec) Protocol, Layer 2 Tunneling Protocol, Multiprotocol Label Switching (MPLS) Protocol, etc.
A conventional technique for implementing a VPN across a wide area network may be accomplished through the use of an IP Security (IPSec) Protocol which establishes a secure IPSec xe2x80x9ctunnelxe2x80x9d between a remote user/node and a private LAN. An example of this is shown in FIG. 2 of the drawings. FIG. 2 shows a schematic block diagram of how an IPSec Protocol may be used to manage Virtual Private Network (VPN) flows over an HFC network. As shown in FIG. 2, the HFC network 220 comprises a plurality of cable modems, depicted by cable modems CM1-CM5. In the example of FIG. 2, it is assumed that cable modems CM4 and CM5 are remote nodes which are members of the Virtual Private Network VPN1. The VPN1 network is owned and/or managed by Enterprise A 250. The remaining cable modems in the cable network CM1, CM2, CM3 (collectively identified by reference number 205) are not members of any VPN.
In order for cable modem CM4 to communicate with the VPN1 network located at Enterprise A, it utilizes an IPSec Protocol to establish an IPSec xe2x80x9ctunnelxe2x80x9d 202a which provides a secure communication path from CM4, across the HFC network 220 and backbone network 230, to the VPN1 gateway 252. Likewise, in order for cable modem CM5 to connect to the virtual private network VPN1 located at Enterprise A, it utilizes the IPSec Protocol to establish a secure tunnel 204a across the HFC network 220 and backbone network 230 to connect into the virtual private network VPN1 via gateway 252.
Although the use of IPSec Protocol to manage VPN flows across a public network (as shown, for example, in FIG. 2) is advantageous in that it provides secure end-to-end data encryption, it also suffers from a number of disadvantages. For example, a significant amount of overhead (e.g. memory/processing resources) is required to run IPSec on the endpoints of the IPSec tunnel. Additionally, implementing a VPN using IPSec Protocol requires additional intelligence to be incorporated in each of the end devices (e.g., PCs, cable modems, gateways, etc.). In FIG. 2, for example, each cable modem wishing to be a member of a particular VPN must be configured to support IPSec Protocol, and must also be specifically configured to access a specific VPN gateway in order to access the VPN network. This technique of maintaining the intelligence in the end device (such as, for example a cable modem) may be considered undesirable, particularly where software upgrades, maintenance, diagnostics, etc. are frequently required.
Another disadvantage of the IPSec-implemented VPN (as shown in FIG. 2) is that the IPSec Protocol is set up such that the routing information embedded within a VPN packet can only be used by a specific VPN gateway, and can not be used by other switching or routing devices in the network to switch/route the VPN packet to its destination address. Thus, any data transmission between cable modem CM4 and cable modem CM5 must first be routed through VPN gateway 252, whereupon the VPN gateway then uses the routing information in the packet to route it to its final destination.
For example, if cable modem CM4 (FIG. 2) wishes to send a packet to cable modem CM5, conceivably it should be possible to route the packet locally, within the HFC network, without requiring that the packet be routed outside the HFC network (e.g. through the backbone network 230 or gateway 252). However, because each of the IPSec tunnels 202a and 204a have been set-up to be secure from end-to-end, the only way CM4 can communicate with CM5 is to first send the packet through gateway 252 via tunnel 202a, whereupon gateway 252 will then forward the packet to CM5 via tunnel 204a. Not only does this technique increase the communication delay between CM4 and CM5, but it also adds to traffic congestion across the backbone network 230 and gateway 252.
Accordingly, there exists a continual need to provide improved techniques for implementing and managing VPN flows over public or shared infrastructures.
According to specific embodiments of the present invention, a technique is provided for managing VPN packet flows over access networks such as, for example, cable networks or wireless networks in which the nodes of the network use a shared access channel to communicate with a Head End in the network. Each node in the access network typically has an identifier or ID associated with it which is used at the Head End to uniquely identify that particular node from the other nodes in the network. According to the technique of the present invention, and as explained in greater detail below, the node ID may be used at the Head End of the network to identify not only the corresponding node, but also to identify any virtual private networks (VPNs) of which the corresponding node is a member.
According to specific embodiments of the invention, a method and computer program product are provided for routing packets from a first network node to a second network node in a data network. The data network includes an access network having at least one Head End device and a plurality of nodes. The access network further includes at least one shared access channel used by the first and second nodes to communicate with the Head End device. The first and second nodes are members of a first virtual private network (VPN) which is associated with at least one first VPN Customer Edge device. A packet is received from the first node. The packet includes an ID associated with the first node and includes routing information for routing the packet to a destination address associated with the second node. The packet is then examined to identify the ID of the first node. Once identified, the first node ID is used to determine whether the first node is a member of at least one VPN. An additional aspect of this embodiment provides that the routing information within the packet may be used to determine whether the second node is a member of the same VPN as the first node. A further aspect of this embodiment provides that the packet may be routed to the second node in a manner that does not cause the packet to be routed outside the access network.
Further embodiments of the present invention provide a method and computer program product for associating nodes in a data network with at least one virtual private network. The data network includes an access network having at least one Head End device and a plurality of nodes. The access network further includes at least one shared access channel utilized by a first node and a second node of the plurality of nodes to communicate with the Head End device. When the first node communicates with the Head End device, a determination is made as to whether the first node is a member of at least one VPN. If it is determined that the first node is a member of at least one VPN, an ID of the first node will be mapped or linked to the particular VPN(s) of which the first node is a member. By linking or mapping the first node ID to any VPN(s) associated with the first node, the Head End is subsequently able to use the node ID-VPN association to route packets between nodes residing on the access network which are part of the same VPN. Moreover, an additional aspect of this embodiment provides that such packets may be routed between nodes within the access network belonging to the same VPN without routing the packet outside the access network.
Other embodiments of the present invention are directed to a method and computer program product for associating nodes in a data network with at least one virtual private network (VPN). The data network includes an access network having at least one Head End device and a plurality of nodes. The access network further includes at least one shared access channel utilized by a first and a second node of the plurality of nodes to communicate with the Head End device. A communication from the first node in the access network is received. An address of the first node is then identified, wherein the address is specific to the network on which the first node resides. The address is then used to determine whether the first node is associated with at least one VPN. According to one aspect of this embodiment, the address is an IP address of the first node. According to another aspect of this embodiment, the address is a MAC address of the first node.
An additional embodiment of the present invention provides a method of configuring a Head End of an access network to route packets from a first node to a second node in the network. The access network includes at least one shared access channel utilized by a plurality of nodes in the access network (including the first and second nodes) to communicate with the Head End. The first and second nodes are members of a first virtual private network which is associated with at least one first VPN Customer Edge device residing outside the access network. Particular network nodes on the access network are associated with corresponding VPNs. The first node is also assigned an ID specific to the access network. The assigned ID and the first VPN are then associated or linked together to thereby cause the first node to be associated with a first VPN. In one aspect of this embodiment, a provisioning server may be used to make the association between a particular network node on the access network and its corresponding VPN(s). Alternatively, a different aspect of this embodiment provides that the Head End or the CMTS is configured to make the association between a particular node of the access network and its corresponding VPN(s).
A further embodiment of the present invention is directed to a Head End of an access network. The network comprises a plurality of nodes which communicate with the Head End via at least one shared access channel. The Head End comprises at least one processor; memory in communication with the at least one processor; and at least one interface for communicating with the plurality of nodes. The Head End is configured or designed to manage virtual private network flows within the access network in a manner allowing routing of packets between at least two nodes in the network which are members of the same VPN. Further, the routing of packets between at least two nodes in the network which are members of the same VPN may be accomplished without routing such packets outside the access network. An additional aspect of this embodiment provides that the memory is configured or designed to store node ID information relating to the plurality of nodes in the network, where each node of the plurality of nodes is uniquely identified by a corresponding node ID. A further aspect of the this embodiment provides that the memory is also configured or designed to store node ID-VPN mapping information linking a particular node ID to at least one VPN of which the corresponding particular node is a member.